coverme-scanner
v4.2.1
Published
AI-powered security scanner with 33 agents including AI-generated code detection. STRIDE/DREAD scoring, adversarial review, professional PDF reports.
Downloads
177
Maintainers
slack-aiReadme
CoverMe
The Most Comprehensive AI Security Scanner for Your Codebase
23 AI Agents | AST Analysis | STRIDE + DREAD | Professional PDF Reports | Zero Config
Quick Start | Features | Agents | Reports | Custom Agents
Why CoverMe?
Traditional security scanners are noisy (too many false positives) and blind (miss context-specific issues).
CoverMe is different:
| Traditional Scanners | CoverMe | |---------------------|---------| | Single-pass analysis | 21 specialized AI agents working in parallel | | Pattern matching | Deep understanding of your code's intent | | Generic rules | Auto-detects your stack and adapts | | 60%+ false positives | Cross-validation eliminates noise | | Requires configuration | Zero config - just run it |
Quick Start
# Install globally
npm install -g coverme-scanner
# Initialize in your project (one-time)
coverme init
# Run the scan (in Claude Code)
/covermeThat's it. Watch 23 AI agents analyze your entire codebase and generate a professional PDF or HTML report.
Features
Auto-Detection
CoverMe automatically detects your stack and adapts its scanning:
| Category | Auto-Detected | |----------|---------------| | Auth | OAuth, JWT, Session, Clerk, Auth0, NextAuth, Supabase Auth, Firebase, Passport.js, API Keys | | Database | PostgreSQL, MySQL, MongoDB, Redis, DynamoDB, Supabase, Prisma, TypeORM, Drizzle, PlanetScale, Neon, Turso | | Framework | React, Next.js, Express, Fastify, NestJS, Django, FastAPI, Flask | | AI/LLM | OpenAI, Anthropic, LangChain, Ollama, HuggingFace, Bedrock, Vertex AI | | Infra | Docker, Kubernetes, Terraform, GitHub Actions, GitLab CI |
Smart Skipping
Agents that aren't relevant to your project automatically skip:
- No AI code? AI Security Scanner skips.
- No Redis? Redis Scanner skips.
- No enclaves? Enclave Scanner skips.
Zero noise. Maximum relevance.
23 Specialized Agents
| Agent | What It Finds | |-------|---------------| | Advanced Static Analysis | AST dead code detection, duplication detection, STRIDE classification, DREAD scoring | | Security Core | OWASP Top 10, SQL/NoSQL injection, XSS, Command injection, SSRF, Path traversal | | Auth & Session | OAuth flaws, JWT vulnerabilities, session fixation, cookie security, MFA bypass | | API Security | CORS misconfiguration, rate limiting, IDOR, mass assignment, webhook security | | Database | SQL injection, ORM-specific issues, connection security, RLS bypass | | Redis & Cache | KEYS command abuse, Lua injection, cache poisoning, session security | | AI/LLM | Prompt injection, content filter bypass, PII in prompts, jailbreak vectors |
| Agent | What It Finds | |-------|---------------| | Infrastructure | Docker security, K8s misconfig, CI/CD secrets, IaC issues | | Data & Privacy | PII exposure, GDPR violations, encryption gaps, data retention | | Performance | N+1 queries, memory leaks, ReDoS, blocking operations | | Business Logic | Race conditions, TOCTOU, workflow bypass, pricing exploits | | Code Quality | Complexity, dead code, error handling, anti-patterns | | Dead Code | Unused dependencies, unreachable code, stale feature flags |
| Agent | What It Does | |-------|--------------| | Design Decision Detector | Identifies intentional patterns to prevent false positives | | Context-Aware Validator | Understands deployment context (K8s, API gateway, WAF) | | Network & Architecture | Service boundaries, trust zones, NetworkPolicy gaps | | Resilience & Fallback | Circuit breakers, retry patterns, graceful degradation | | Testing & Reliability | Test coverage gaps, missing health checks | | Duplicate Scanner | Finds existing solutions in your codebase | | Executive Summary | Generates high-level risk overview | | Runtime Verification | SSH to compare actual runtime vs code config |
v3.0 — Enterprise Analysis Engine
New in v3.0:
| Feature | Description | |---------|-------------| | Professional PDF Reports | Enterprise-grade PDFs — cover page, threat model, architecture overview | | AST Dead Code Detection | Unused imports, variables, functions, unreachable code | | Code Duplication Detection | Jaro-Winkler similarity; shows lines removable by merging | | STRIDE Threat Modeling | Auto-classifies findings into STRIDE categories | | DREAD Risk Scoring | 0-10 risk scores across 5 dimensions per finding |
# Generate PDF report
coverme report .coverme/scan.json -f pdf -o assessment.pdf
# Generate HTML report
coverme report .coverme/scan.json -f htmlBeautiful Reports
CoverMe generates professional HTML and PDF reports with:
Executive Summary
- Risk level assessment
- Top risks bullet points
- Findings by owner (Dev/DevOps/Architect)
Project Overview
- Auto-detected stack
- Architecture type
- Key components
Detailed Findings
- Severity scoring (DREAD)
- Code snippets with line numbers
- Copy-paste fix recommendations
- Claude Code prompts ready to use
Smart Filtering
- By severity
- By file
- By category
- By owner
Sample Report Sections
Executive Summary
-----------------
Risk Level: HIGH
Top Risks:
- SQL injection in user search allows database access
- Missing rate limiting enables brute force attacks
- Admin API exposed without IP restriction
Findings by Owner:
Developer: 5
DevOps: 3
Architect: 1Runtime Verification (SSH)
The killer feature: CoverMe can SSH into your servers and compare the actual runtime against your code configuration.
Why?
Your Dockerfile says USER appuser, but the container runs as root. Why? Because docker-compose overrides it. This is why vulnerabilities become exploitable.
Setup
# Add your server (one-time)
coverme verify setup --host [email protected] --name production
# That's it! Now /coverme will automatically:
# 1. Scan your code
# 2. SSH to production
# 3. Compare expected vs actual
# 4. Report any mismatchesWhat It Catches
| Issue | Example |
|-------|---------|
| User Mismatch | Dockerfile: USER appuser → Runtime: root |
| Security Context Ignored | K8s: runAsNonRoot: true → Pod runs as root |
| Ports Exposed | Code expects 3000 → Runtime has 3000, 6379, 5432 |
| Permissions Wrong | Expected: 755 → Actual: 777 |
Manage Environments
coverme verify list # List all configured servers
coverme verify remove production # Remove an environmentCustom Agents
Add your own specialized agents in seconds:
# Add a custom agent
coverme agent add "John" "Check all .env files for exposed secrets"
coverme agent add "Sarah" "Find regex patterns vulnerable to ReDoS"
coverme agent add "Compliance" "Check for GDPR and PCI-DSS violations"
# List your agents
coverme agent list
# Remove an agent
coverme agent remove "John"Your custom agents run alongside the 21 built-in agents and appear in the same report.
How It Works
COVERME ORCHESTRATOR
________________________________________________________________
| |
| PHASE 0: PROJECT DISCOVERY |
| [Auto-detect stack, auth, databases, frameworks] |
|________________________________________________________________|
| |
| PHASE 1: PARALLEL DISCOVERY (21 agents) |
| |
| Security Auth API Infra Data AI/LLM |
| | | | | | | |
| Database Redis Quality Logic Perf Dead |
| | | | | | | |
| PII Resil Network Design CTX Custom... |
| | | | | | | |
| +----+----+--------+----+----+--------+----+---+ |
| | | | |
| v v v |
|________________________________________________________________|
| |
| PHASE 2: CROSS-VALIDATION |
| [Challenge findings, find mitigations, detect false positives]|
|________________________________________________________________|
| |
| PHASE 3: CONSENSUS |
| [Merge, dedupe, calculate confidence, generate report] |
|________________________________________________________________|Installation
Requirements
- Node.js 18+
- Claude Code CLI installed and authenticated
- No external API keys needed (uses your Claude Code session)
Install
npm install -g coverme-scannerInitialize (once per project)
cd your-project
coverme initThis creates:
.coverme/folder for reports.claude/commands/coverme.mdslash command
Run
In Claude Code:
/covermeOr with arguments:
/coverme src/CLI Commands
# Initialize CoverMe in a project
coverme init
# Generate HTML report from JSON
coverme report scan.json -f html -o report.html
# Custom Agents
coverme agent add "Name" "Task description"
coverme agent list
coverme agent remove "Name"
# Help
coverme --helpConfiguration
CoverMe works zero-config out of the box, but you can customize:
Custom Agents
Create .coverme/agents.json:
{
"agents": [
{ "name": "Security Lead", "task": "Review all auth flows for OWASP compliance" },
{ "name": "Performance", "task": "Find N+1 queries and memory leaks" }
]
}Ignore Patterns
Add to .coverme/config.json:
{
"ignore": [
"node_modules",
"dist",
"*.test.ts",
"**/__mocks__/**"
]
}FAQ
Typically 2-5 minutes depending on codebase size. All 22 agents run in parallel.
CoverMe runs entirely through your local Claude Code session. Your code is processed by the same Claude API you're already using.
Not yet, but it's on the roadmap. Currently CoverMe requires an interactive Claude Code session.
Any language Claude understands: TypeScript, JavaScript, Python, Go, Rust, Java, C#, Ruby, PHP, and more.
CoverMe already has multiple validation agents that eliminate most false positives. For remaining cases:
- Add comments like
// Intentional: ...to document design decisions - Create custom agents for your specific patterns
- The Design Decision Detector will learn from these
Roadmap
- [ ] CI/CD integration (GitHub Action)
- [ ] VS Code extension
- [ ] Baseline comparison (diff between scans)
- [ ] Custom rule definitions
- [ ] Team dashboard
- [ ] Slack/Discord notifications
Contributing
Contributions are welcome! Please read our Contributing Guide first.
# Clone the repo
git clone https://github.com/vibecode/coverme-scanner.git
# Install dependencies
npm install
# Build
npm run build
# Test locally
npm linkLicense
MIT - see LICENSE
Built with Claude Code